Bug in Free Demo Let You See Location Data on Any Cell Phone

A software bug in a free online demo from data aggregator LocationSmart could've let anyone search for real-time cell phone location data from millions of devices.

By Michael Kan, Principal Reporter

Want to learn someone's location? Due to some shoddy programming, a US company that hoards cell phone data accidentally gave anyone the disturbing power to do this.

LocationSmart specializes in collecting cell phone data from US wireless carriers as a way to help businesses understand their customers. According to its website, the California company has location data on over 400 million devices.

However, LocationSmart appears to have been careless with that data. A computer scientist noticed on Wednesday that an online demo for one of the company's services could let anyone plug in a cell phone number and pull up the device's location.

The searches were supposed to be limited to cell phone numbers whose owners had consented to the location lookups. To obtain that consent, the demo would text or call the phone number and request permission from the owner.

(Image: LocationSmart demo)

Unfortunately, the demo contained a software bug, according to Robert Xiao, a PhD candidate at Carnegie Mellon University. While digging around the demo, he noticed a flaw in the system's API that could let you make cell phone location searches without obtaining the owner's consent.

Xiao disclosed the vulnerability to security journalist Brian Krebs, who verified that the LocationSmart demo could, indeed, pull up someone's approximate location; he and Xiao tested it on five of Krebs' trusted sources.

"One of those sources said the longitude and latitude returned by Xiao's queries came within 100 yards of their then-current location," Krebs wrote on Thursday. "Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time."

How long the bug has been around isn't known, but LocationSmart appears to have taken the demo offline.

Xiao was investigating the company amidst news that it was supplying location data to a little-known prison technology firm called Securus Technologies. Last week, a US senator revealed that Securus was also providing cell phone location lookups to law enforcement and correctional officers without a warrant.

So far, LocationSmart and Securus haven't commented. But their practices are raising serious questions over why US wireless carriers are handing so much private data to third-party companies, when no controls appear to be in place.

The major wireless providers haven't detailed their relationships with LocationSmart or Securus. But on Thursday, an AT&T spokesman said: "We don't permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action."

UPDATE 5/18/18: In a statement, LocationSmart said: "We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission."

"On that day (May 16) as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao's public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."
